Application security tools may facilitate the modification of code at runtime in order to detect, and modify, code that might present security issues. In particular, as an application runs, an instrumenter sits inside the application process and is notified of code that is about to be executed. The instrumenter inspects the code, applies a ruleset to it, and determines whether the code should be modified. In response to determining that the code should be modified, the instrumenter modifies the code to determine whether a security issue exists.
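
The flow described above, as an added Python example that is not code from the original text: the instrumenter receives code that is about to run, applies a ruleset to its syntax tree, and rewrites only matching calls so that a runtime check can decide whether a security issue exists. The ruleset entry `run_query`, the `Tainted` marker, the `__sensor__` hook and the sample application code are assumptions made for illustration.

```python
import ast

RULESET = {"run_query": "sql-injection"}  # hypothetical rule: sink name -> issue

class Tainted(str):
    """Marks a value as coming from an untrusted source (constructed for the demo)."""

def _sensor(findings, rule, sink, func, /, *args, **kwargs):
    """Check inserted in front of a sink: report tainted arguments, then call it."""
    if any(isinstance(a, Tainted) for a in (*args, *kwargs.values())):
        findings.append((rule, sink))
    return func(*args, **kwargs)

class _Rewriter(ast.NodeTransformer):
    modified = False

    def visit_Call(self, node):
        self.generic_visit(node)
        name = ast.unparse(node.func)
        if name not in RULESET:  # no rule matches: leave this code unmodified
            return node
        self.modified = True
        head = [ast.Constant(RULESET[name]), ast.Constant(name), node.func]
        return ast.Call(func=ast.Name(id="__sensor__", ctx=ast.Load()),
                        args=head + node.args, keywords=node.keywords)

def instrument_and_run(source, env):
    """Inspect code that is about to execute, rewrite it if a rule matches, run it.
    Returns (modified, findings)."""
    findings = []
    rewriter = _Rewriter()
    tree = ast.fix_missing_locations(rewriter.visit(ast.parse(source)))
    env["__sensor__"] = lambda *a, **kw: _sensor(findings, *a, **kw)
    exec(compile(tree, "<instrumented>", "exec"), env)
    return rewriter.modified, findings

# Constructed sample input: application code that is about to be executed.
SAMPLE = '''
def run_query(sql):
    return "ran: " + sql
safe = run_query("SELECT 1")
unsafe = run_query(user_input)
'''

if __name__ == "__main__":
    print(instrument_and_run(SAMPLE, {"user_input": Tainted("SELECT 2")}))
    print(instrument_and_run("n = len('abc')", {}))
```

The instrumented code keeps its original behaviour: both calls still return their results, and only the call that receives a tainted value produces a finding.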